Inside the simulation: What breach exercises really reveal

by Black Hat Middle East and Africa

A good red team exercise goes beyond the question of whether the red team can get into an organisation, and asks what happens next. It can reveal how fast the organisation detects and responds, and how effective that response is.

Breach simulations follow the full adversary kill chain: reconnaissance, initial access, persistence, lateral movement, and exfiltration.

The MITRE ATT&CK framework maps this process in forensic detail. It’s a globally accessible knowledge base of threat tactics and techniques, and it offers red teams a common language to emulate real-world threats – and blue teams a blueprint to detect them. 

As MITRE notes, the goal is realism: attackers and defenders both learn from running the same playbook.

But as Quinn Carman (Cybersecurity Leader, NSA) told us during an interview, “it’s very easy to attack a network, but that’s not the important part. The important part is what you deliver to the customer when you’re done.”

The simulation is only as valuable as the insight it delivers.

What the data says: Common attack paths and blind spots

The 2024 Data Breach Investigations Report (DBIR) from Verizon examined 30,458 incidents and 10,626 confirmed breaches across 94 countries.

We’ve gathered just a few of the findings that should make every security team rethink what they test for:

  • Exploitation of vulnerabilities as an initial access vector rose by around 180% year-on-year.
  • 68% of breaches involved a non-malicious human element such as error or social engineering (SANS).
  • Over the past decade, stolen credentials have appeared in roughly one-third of breaches, according to long-term DBIR trend data.
  • Median time to remediate half of all critical vulnerabilities: 55 days.
  • 15% of breaches involved a third-party component or supplier.

For red teams, that means a realistic simulation must include phishing, credential theft, and supply-chain weaknesses – not just technical exploits.

When we spoke to Rana Khalil (Application Security Team Lead, C3SA) about her pen testing academy, she said:

“It’s surprising how some organisations lack a comprehensive catalogue of their web services – introducing a significant risk, since you can’t effectively secure what you’re not aware of!”

And many simulations surface the same truth: defenders often fall behind not because attackers are too clever, but because their own visibility is too poor.

Beyond ‘gotcha’: turning simulations into resilience

If it’s done badly, red teaming can feel like humiliation theatre. A group of hackers gets in, presents a slide deck of flaws, and disappears.

Carman said: “If you just go and kick down the door, point and laugh at them, then leave – that doesn’t do anyone any good. You’re forgetting that you’re on their side.”

The best teams treat breach simulations as collaborative exercises. Their purpose, Carman added, “is to leave that organisation more secure than when we found it.”

And Khalil emphasised the reality that reactive security alone is dangerous. “Waiting until a cyber security breach occurs to start contemplating cybersecurity is a reactive approach that can lead to serious consequences and cause substantial technical and reputational harm,” she said.

Today’s ‘purple team’ approaches, where red and blue teams work together continuously, reflect this shift from exposure to education. And it works – MITRE’s recent adversary emulation plans show how constant iteration improves detection times and breaks down silos between offensive and defensive functions.

The power of empathy and understanding adversaries

If the DBIR’s human-error stat (68%) tells us anything, it’s that no simulation is complete without the people part. Attackers exploit distraction, pressure, and routine – not just code.

And that empathy (if we take empathy to mean understanding other people, and using that understanding to either harm or help them) extends to both sides. As Carman said, “Saying something isn’t communication.” Translating technical exploits into business risk is as important as discovering them.

In our interview with Lance James (Founder & CEO, Unit 221B), he reminded us that “it’s easy to disassociate while on a computer, forgetting that it’s not just bits and bytes, but people’s lives at stake.”

Breach simulations succeed when they make that human dimension visible and really show defenders how attacks unfold.

From exercise to evolution

For us at Black Hat MEA, the real measure of a red-blue exercise is how much stronger everyone becomes afterwards. It’s not about who wins.

The best red teams treat every simulation as a loop. They map each scenario to a recognised framework like MITRE ATT&CK, observe how blue teams respond under pressure, and use those lessons to refine both detection and communication.
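As an added example (not part of the original article), one way to turn that loop into something measurable: a small Python scorecard that maps each step of a constructed exercise to its ATT&CK technique ID, records whether and when the blue team raised an alert, and reports per-phase detection rates, median time-to-detect, and the techniques that went unseen. The scenario, timings and the `Step`/`scorecard` names are assumptions; the technique IDs are real ATT&CK identifiers.

```python
"""Purple-team scorecard: map exercise steps to ATT&CK and record what blue saw."""
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass
class Step:
    phase: str                    # kill-chain phase from the exercise plan
    technique: str                # ATT&CK technique ID the step emulates
    executed_min: int             # minutes after exercise start red acted
    detected_min: Optional[int]   # minutes when blue alerted, None if missed


# Constructed exercise log (invented timings and outcomes, for illustration).
EXERCISE = [
    Step("initial access", "T1566", 0, 25),       # phishing: caught by mail gateway
    Step("initial access", "T1078", 30, None),    # valid (stolen) account: not flagged
    Step("persistence", "T1053", 45, 90),         # scheduled task: caught by EDR
    Step("lateral movement", "T1021", 120, None), # remote services: missed
    Step("exfiltration", "T1041", 200, 230),      # exfil over C2 channel: caught
]


def scorecard(steps):
    """Per-phase detection counts, median time-to-detect, and undetected techniques."""
    by_phase = {}
    for s in steps:
        row = by_phase.setdefault(s.phase, {"run": 0, "detected": 0})
        row["run"] += 1
        if s.detected_min is not None:
            row["detected"] += 1
    ttd = [s.detected_min - s.executed_min for s in steps if s.detected_min is not None]
    return {
        "by_phase": by_phase,
        "median_ttd_min": median(ttd) if ttd else None,
        # Techniques with no alert: these are the detection gaps to refine next.
        "gaps": [s.technique for s in steps if s.detected_min is None],
    }


if __name__ == "__main__":
    result = scorecard(EXERCISE)
    for phase, row in result["by_phase"].items():
        print(f"{phase:16} {row['detected']}/{row['run']} detected")
    print("median time-to-detect (min):", result["median_ttd_min"])
    print("undetected techniques:", ", ".join(result["gaps"]))
```

Rerunning the same scenario after the blue team tunes its detections gives a before/after comparison for the debrief, which is the "loop" the article describes.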

When the debrief becomes a shared learning session, organisations start to embed security into their culture instead of reacting to each breach as a surprise. As Khalil said, security has to be “an inherent part of processes, not a reaction to incidents.” And empathy is the glue that holds that process together – because offence and defence only work when they understand each other’s intent.

Red and blue teams may wear different colours, but the same goal unites them: to understand, learn, and strengthen the organisation before the next real breach does the teaching. That’s what the best simulations truly reveal.
